Location Data Brokers and Threats to Americans' Privacy
There is a multi-billion-dollar industry of companies collecting and selling location data. Here's how it threatens Americans.
I am testifying in the Massachusetts state legislature this afternoon about the US location data broker industry — companies that quietly collect and then sell Americans’ (and others’) location data — and threats to Americans’ freedoms and civil rights, privacy, and safety. I will also, in my individual capacity, discuss a bill that Massachusetts is considering to tackle this problem. Here’s a preview of my written testimony, why this issue matters, and why companies handling location data should more responsibly protect it from brokerage and abuse. Brought to you by Global Cyber Strategies, a Washington, DC-based research and advisory firm.
The One-Liner
There is a multi-billion-dollar market for location data which threatens Americans’ civil rights, privacy, and physical safety — and Massachusetts has an opportunity to become a nationwide leader in preventing these extraordinary privacy abuses.
The Location Data Market and Threats to Americans’ Freedoms, Privacy, and Safety
While some companies are engaged in responsible and limited uses of location data, gathered from consumers with their awareness, many other companies make up a multi-billion-dollar market for gathering, sharing, and selling Americans’ location information. This includes data brokers selling US persons’ smartphone location data — ranging from aggregated data on building foot traffic to real-time, individually identified smartphone geolocations. Massachusetts has an opportunity to become a nationwide leader in preventing these extraordinary privacy abuses.
In 2021, the location data market was by some estimates worth $12-16 billion globally. The technology news outlet The Markup has published its own list of significant companies in the location data market, which include 1010Data, Acxiom, Babel Street, Foursquare, Gravy Analytics, Kochava, Placer.ai, SafeGraph, and Venntel as well as data broker clearinghouses like the Amazon Web Services Data Exchange and Datarade. It is a dynamic industry. Location data brokers continue to crop up, and existing location data brokers keep expanding their collection of geolocation data, such as gathering more precise data and expanding into new countries.
Many data brokers that sell individuals’ location data acquire that data from mobile applications on individuals’ phones. Data brokers might pay a mobile app developer to include the broker’s software development kit (SDK), or prepackaged app-building code, in the developer’s app. The broker can then sit within the app and gather data directly on users, without their knowledge. Users may download an app, grant the app some permissions on their devices, and never realize that the app developer is not the only one receiving those permissions (e.g., to a smartphone’s GPS). Many apps that gather location data will also forgo the data broker SDK path. Instead, these apps collect location data on their own users, and once the data is on the app developer’s servers, the developer will sell it directly to a data broker through a server-to-server transfer. Users have no visibility into that practice. App stores do not presently have technical visibility into that transfer, either.
Location data is one of the most sensitive kinds of data that companies gather, infer, aggregate, sell, and share about US individuals. This is for at least three reasons:
It allows an individual or organization to follow or hunt down a specific person;
Physical movements over time are highly unique to individuals; and
Location data enables an individual or organization to derive additional information about a person based on their movements.
The sale of smartphone location data threatens Americans’ freedoms and civil rights, privacy, and safety. Law enforcement agencies can purchase this data without warrants, public disclosure, or robust oversight. Organizations and individuals intent on doing harm can purchase this data for a range of purposes — everything from tracking and outing closeted LGBTQ+ people to following Americans as they visit places of worship, addiction treatment centers, domestic violence shelters, military bases, their children’s schools, and more. All of this invades individuals’ privacy and potentially exposes highly sensitive information about them, including religion, sexual orientation, financial status, health conditions, and signs of marital strife.
Many data brokers, when asked about their data practices, will claim that Americans “consent” to the packaging and sale of their data (including smartphone location data). In particular, brokers will often point out that many apps, websites, and other companies collecting data will include clauses in their privacy policies and terms of service that refer to the possibility of that first-party collector sharing data on consumers. This is a bad-faith and patently ridiculous argument. Most consumers do not read privacy policies, and the burden of doing so is overwhelming. Further, even if consumers did read them, the burden would still be on the individual to fight systemic data broker surveillance practices — which are currently inescapable in the US regulatory system.
Massachusetts is considering a bill to address these challenges: H.357 / S. 148, or “An Act protecting reproductive health access, LGBTQ lives, religious liberty, and freedom of movement by banning the sale of cell phone location information.” Passing a robust and appropriately scoped version of this bill would be a major step towards preventing these kinds of harms to individuals and to society.
—
© 2023 Global Cyber Strategies LLC.